IRS Has Risky IT Contracts

The Internal Revenue Service didn’t do enough to mitigate risks in some of its information technology contracts, according to a new report.

J. Russell George

The report, from the Treasury Inspector General for Tax Administration, found the IRS didn’t ensure it mitigated risks for a sampling of IT contracts valued at $81.3 million.

For the report, TIGTA randomly selected 14 out of 6,045 IT contracts awarded between October 2008 and May 2014 to see if the IRS’s post-award controls enabled the agency to mitigate known risks and ensure its operational practices adhered to federal contract administration policies and procedures.

TIGTA found control weaknesses with security compliance reviews, contract file documentation, contractor exclusion reviews, contract administration plans, and contracting officer’s representatives’ appointment letters in the contracts it reviewed. The report said the IRS needs to carefully reexamine its overall operational controls for contract administration and fraud controls for individual IT contracts to ensure post-award contract file reviews are reliable.

“It is critical that the IRS clarify information technology security risks and enforce appropriate controls with its contract review process to ensure compliance with all applicable policy and guidance for information technology contracts,” said TIGTA Inspector General J. Russell George in a statement.

TIGTA recommended the IRS’s chief technology officer ensure the agency’s policy and procedures are updated to provide clear guidance and instructions for the Security Compliance Review Checklist certification process. In addition, the IRS’s chief procurement officer should ensure the IRS improves its policy and procedures to ensure it documents, maintains and reviews its security checklists and maintains its IT contract files in a complete, organized and consistent way for review purposes.

IRS officials agreed with three of the recommendations in the report and partly agreed with two others. But the IRS plans corrective actions for all five recommendations.

In response to the report, the IRS also pointed to the small sample size. “While we generally agree with the recommendations, we have some concerns with certain aspects of the report,” wrote IRS chief technology officer Terence V. Milholland. “The audit’s findings and projections are based on a sample of 14 contracts selected from a population of 6,045 contracts. Based on our knowledge of this population, we do not believe a representative or realistic picture of our implementation of contract controls is reliably created with so few observations.”

TIGTA, for its part, contended its sample selection methodology and statistical projections and other audit evidence adequately supported its audit results and recommendations.